Millions of people with Mastercard or Visa credit cards will likely be getting data breach notification letters in the next few weeks after a massive data security breach at one of the main companies that processes transactions.
Visa and MasterCard are investigating whether that breach exposed private customer information, bank officials said. The event highlighted a crucial vulnerability that could affect millions of cardholders.
The breach occurred at Global Payments, an Atlanta company that helps Visa and MasterCard process transactions for merchants. One bank executive estimated that about 1 million to 3 million accounts could be affected. That does not mean all those cards were used fraudulently, but that credit card information on the cardholders was exposed.
A bank official, who insisted on anonymity because the inquiry is at an early stage, said that Visa and MasterCard notified his company, but that banks had been frustrated with the pace of disclosure by Global Payments. He said that Global Payments, which is one of the biggest transactions processors, had provided little information on where the breaches took place, how accounts were hacked and other details that could indicate which customers might be vulnerable.
Banks said that when they could identify victims, they would notify them and replace credit cards, if necessary.
That's not enough, according to Jim Van Dyke, founder and president of Javelin Strategy and Research, a Pleasanton-based company that provides information for banks and others.
"People are often led to believe that someone's taking care of them. That's usually not the case," Van Dyke said. He said people need to pay extra attention to their accounts after receiving a data breach letter. A recent report from the company notes that as of 2011, those who receive those letters are nine-and-a-half times more likely to be a fraud victim than anyone who has never received a letter. That's up from six times more likely in 2010, four times more likely in 2009 and three times more likely in 2008.
Keeping safe from identity theft, he said, "is all about three things: prevention, detection and resolution."
"Get some protection on your computer. Don't post things on line, like social security numbers, your mother's maiden name, the name of your pet," Van Dyke said. "Monitor your identity."
Van Dyke's company offers a research-based quiz that can tell what a person's likelihood to be a fraud victim.
While far from the largest breach of credit card data in recent years, the latest incident, which is being investigated by major banks and federal authorities as well as the card companies, underscores concerns about the vulnerability of electronic financial data.
As financial services companies have improved security over the past year, criminals have aimed at a specific part of the credit card system: the payment processors that act as a bridge between banks and retailers. Security consultants say the sophistication of these attacks is increasing.
Bank officials said they were told by Visa and MasterCard that the breach occurred sometime from late January to late February, and included what is known as Track 1 and Track 2 data. That includes details like names, card numbers, validation codes and in some cases, customer addresses.